Sunday, November 04, 2007

Zayle Letzel Trojan

"Todo por ti Letzel"

What's the Zayle Trojan
The Zayle or Letzel trojan targets USB devices such as regular pen drives, USB storage, digital cameras, iPods, MP3 players, etc. It can be recognized when you see the hidden system file autorun.inf alongside an executable named crsvc.exe (Zarteck); this prevents the pen drive from being safely removed, and it may prevent the device from being formatted.

The autorun.inf file can be opened with Notepad, and a couple of text images can be seen (as shown below).

Zayle could be an anagram of the name Elyza, and the message posted by the hacker reads "TODO POR TI LETZEL", which means "All for you Letzel". This could be dedicated to the hacker's girlfriend, or to the architect Jan Letzel, who created the Hiroshima Peace Memorial; this is mere speculation.


HowTo get rid of Zayle
  1. Disable the System Restore feature. Go to Control Panel -> System -> System Restore and disable it by ticking the "Deactivate System Restore on all drives" check box. Accept and close this dialog window.
  2. In the Task Manager, find a process named crsvc.exe and kill it.
  3. Disable the 'Hide protected operating system files' option in Folder Options. Go to Tools -> Folder Options -> View -> Hide protected operating system files and deselect this option, so the hidden system files are listed in Explorer.
  4. In Explorer, do not open the pen drive with a double click, as this will re-enable the trojan. Explore it instead by right-clicking the drive letter icon.
  5. Delete the autorun.inf and crsvc.exe files.
  6. Open regedit: Start menu -> Run (or press [Win]+R), type regedit in the dialog box and accept. In the regedit tree, look for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; there you will find an entry named syslog that calls the crsvc.exe file. Remove this entry and restart your computer.
  7. The infection is gone.

Zayle's Signature
Autorun signature left by this trojan in the autorun.inf file when it infects the pen drive (very creative and romantic):

[autorun]
open=crsvc.exe
shell\1=ZAYLE
shell\1\Command=crsvc.exe
shellexecute=crsvc.exe

TODO POR TI LETZEL (All for you Letzel)
[A heart text image]


[A rose text image]

Saturday, October 27, 2007

Enterprise Manager Troubleshooting

The most frequently seen problems with the EM console have to do with improperly configured networking environments and with skipping the DHCP warning during installation. The networking prerequisites have to be met before proceeding with the installation.

1. DHCP issues.
Assigning a dynamic IP address causes the EM console to fail. Since the repository is configured with the environment it collects at install time, if a dynamic address is assigned, EM stops working the next time the computer is unplugged from the network (most frequently seen on laptops).

2. Use of IE with the Enhanced Security option enabled.
This is another frequent issue: when the IE Enhanced Security option is enabled, EM stops working, even though the console can be started.

3. Enterprise Manager can be accessed, but the Performance and Maintenance tabs ask again for login credentials
This is another issue caused by an improperly configured networking and host name resolution environment. Oracle reads the hosts file to establish both the IP address and the fully qualified host name. If it fails to read the hosts file properly, or if the file does not properly identify the host, then localhost.localdomain is used to configure the EM console. When EM then tries to resolve the TNS entry to access the Performance or Maintenance tab, Oracle cannot identify the host declared in the TNS entry and the access fails, even though the provided credentials and the TNS entry seem to be well configured.

4. Changing the hostname or the fixed IP address
When networking changes happen, an EM reconfiguration is required.
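Point 3 above comes down to one question: does the hosts file map this machine's name to a real, fully qualified, non-loopback address? The following check is an added example written for this post, not Oracle's own tooling; the two hosts files are constructed samples (the names dbhost01 and example.com are hypothetical), and the second one reproduces the misconfiguration that makes DB Control fall back to localhost.localdomain.

```python
import ipaddress

# Constructed sample hosts files (not taken from the page). The second one reproduces
# the misconfiguration described in point 3: the machine's own name sits on the
# loopback line, so EM picks up localhost.localdomain.
GOOD_HOSTS = """\
127.0.0.1       localhost.localdomain localhost
192.168.10.25   dbhost01.example.com dbhost01   # hypothetical DB server
"""
BAD_HOSTS = """\
127.0.0.1       localhost.localdomain localhost dbhost01
"""


def parse_hosts(text):
    """Return a list of (ip_address, [names]) tuples, ignoring comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((ip, parts[1:]))
    return entries


def check_em_host(text, hostname):
    """Return the problems that would make DB Control fall back to localhost.localdomain
    for `hostname`; an empty list means the hosts file looks fine for EM."""
    for ip, names in parse_hosts(text):
        lowered = [n.lower() for n in names]
        if hostname.lower() not in lowered:
            continue
        problems = []
        if ip.is_loopback:
            problems.append(f"{hostname} maps to loopback address {ip}")
        # The FQDN must share the line with the short name, and must not be a localhost alias.
        if not any("." in n and not n.startswith("localhost") for n in lowered):
            problems.append(f"no fully qualified name on the line for {hostname}")
        return problems
    return [f"{hostname} is not listed in the hosts file"]


if __name__ == "__main__":
    for label, hosts in (("good", GOOD_HOSTS), ("bad", BAD_HOSTS)):
        print(label, check_em_host(hosts, "dbhost01") or "OK")
```

Run it against the real file (/etc/hosts on Unix, %SystemRoot%\System32\drivers\etc\hosts on Windows) with the output of `hostname`; any reported problem should be fixed and EM reconfigured before chasing TNS or credential errors.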

For further reference on how to troubleshoot and reconfigure Enterprise Manager, I suggest this link: Enterprise Manager DB Control Console.

Thursday, October 25, 2007

Who's Who at Oracle Forums

The more time I spend on the Oracle forums, the more people I get to know; even though I have never physically seen most of them, from their regular answers I have been able to 'see' who's who.

Sybrand Bakker AKA sybrandb
It's funny to see people on the forums who are self-qualified as 'Senior Oracle DBA', and when trying to google them on the web the only kind of references obtained so far are extremely poor, simple and moronic (thanks Howard for this vocabulary addendum): no white papers found, no meaningful forum participation, no seminars, no references, no history, no blog, no personal web page, nothing but simple racist, aggressive and rude answers at the Oracle related forums.

I have always said that reading the manual is the first source of Oracle information, but for heaven's sake! RTFM is not a 'Senior DBA Level Answer' I would like to hear, and guess what, just issue a search at the Oracle forum for the RTFM string, and you'll see who is one of the posters who most frequently provides this as an answer.

I thought this gentleman was participating at the Oracle forums only, but when googling for 'Sybrand Bakker' I have found several other interesting references on the web with the same signature and the same 'Senior Oracle DBA' Level Answers. Just a xenophobe who shows a lot of aggressiveness, lack of manners and lack of knowledge. I couldn't even say if this fellow poster has the OCA, and I have not been able to find someone who makes a good reference for Mr. Bakker.

I still cannot understand why someone who definitely hates to write for free and whose contributions are less than binary rubbish, wastes his time writing for nothing but to build up a very ugly reputation.

Sunday, October 07, 2007

My roots


The Madrid surname was first found in Old Castile, in the heart of Spain, where the name originated in Visigothic times. It means one who came from Madrid, the capital of Spain. When Jews converted to Christianity in Spain in the 15th century, whether voluntarily or by force, they often took a last name based on their town or city of origin.

Some of the first settlers with this family name or one of its variants were among the early explorers of the New World: Juan De Madrid, who came to America in 1510, and Gonzalo De Madrid, who came to the Dominican Republic in 1560.

I was born in Mexico City, and my roots are both: my family came from Hidalgo, where immigrants from England and Spain settled, attracted by the gold and silver mines at Real del Monte, where in 1830 the Cornish first installed steam mining machinery. One of the family branches later became farmers and settled in Tulancingo, where my mom was born. On my father's side, his family came from Huauchinango to Tulancingo, and that is where my parents met; however, they didn't get married there. They lost contact, and it was several years later that they met again in Mexico City, where I was finally born.

Monday, October 01, 2007

Is it possible to decrypt the Oracle password?

Oracle's password hashing algorithm, even though it is supposed to be secret, has been shown to be weak due to several vulnerabilities:
- Weak salt selection
- Non-random salt values
- Lack of alphabetic case preservation

In 1993 there was a post on the comp.databases.oracle newsgroup which described the algorithm in detail, identifying an unknown fixed key as an input parameter. The key was later published in a book named "Special Ops". This provided enough information to reproduce the algorithm:

1. Concatenate the username and the password to produce a plain text string;

2. Convert the plain text string to uppercase characters;

3. Convert the plain text string to multi-byte storage format; ASCII characters have the high byte set to 0x00;

4. Encrypt the plain text string (padded with 0s if necessary to the next even block length) using the DES algorithm in cipher block chaining (CBC) mode with a fixed key value of 0x0123456789ABCDEF;

5. Encrypt the plain text string again with DES-CBC, but using the last block of the output of the previous step (ignoring parity bits) as the encryption key. The last block of the output is converted into a printable string to produce the password hash value.

Suppose a user's password is about 12-16 characters; then the algorithm performs between 6 and 8 DES encryptions to compute the hash value.

The hash algorithm has another weakness: it can be attacked with rainbow tables, which are precomputed password hashes that can later be compared against the actual hash value.
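The five steps above are enough to reproduce the hash and see the weaknesses concretely: the username is the only salt, and the uppercasing in step 2 means "tiger" and "TIGER" hash identically. The code below is an added example written for this post, not Oracle's code; it assumes the pycryptodome package (import path Crypto.Cipher.DES) for the two DES-CBC passes with a zero IV, while the preprocessing helpers run without it.

```python
"""Oracle password hash reconstructed from the five steps in the post.
Assumes pycryptodome for DES (pip install pycryptodome); the
preprocessing helpers work without it."""
try:
    from Crypto.Cipher import DES
    DES_AVAILABLE = True
except ImportError:          # without pycryptodome only steps 1-3 can be demonstrated
    DES = None
    DES_AVAILABLE = False

FIXED_KEY = bytes.fromhex("0123456789ABCDEF")   # the fixed key named in step 4
ZERO_IV = bytes(8)                              # CBC chaining starts from an all-zero IV


def prepare_plaintext(username, password):
    """Steps 1-3: concatenate, uppercase, widen every character to two bytes
    (high byte 0x00 for ASCII) and zero-pad to a multiple of the 8-byte DES block."""
    text = (username + password).upper()        # step 2 is why case does not matter
    data = text.encode("utf-16-be")             # step 3: multi-byte storage format
    pad = (-len(data)) % 8
    return data + bytes(pad)                    # step 4's zero padding


def des_cbc_last_block(key, data):
    """One DES-CBC pass over `data`; only the final ciphertext block is kept."""
    if not DES_AVAILABLE:
        raise RuntimeError("pycryptodome is required for the DES steps")
    cipher = DES.new(key, DES.MODE_CBC, iv=ZERO_IV)
    return cipher.encrypt(data)[-8:]


def oracle_hash(username, password):
    """Steps 4-5: encrypt with the fixed key, then again keyed by the last block
    of that output (DES ignores the parity bits of the key), and print the result as hex."""
    data = prepare_plaintext(username, password)
    derived_key = des_cbc_last_block(FIXED_KEY, data)
    return des_cbc_last_block(derived_key, data).hex().upper()


def des_block_count(username, password):
    """DES block encryptions spent on one username/password pair (two passes over every block)."""
    return 2 * (len(prepare_plaintext(username, password)) // 8)


if __name__ == "__main__":
    print(prepare_plaintext("scott", "tiger").hex())
    print(des_block_count("scott", "tiger"))
    if DES_AVAILABLE:
        print(oracle_hash("scott", "tiger"))   # F894844C34402B67 for the classic demo account
```

Because the username is the only salt, a rainbow table built for a common account name such as SYSTEM works against every database that has it, which is the point made in the paragraph above; the case folding additionally shrinks the keyspace the table must cover.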

Ref. Carlos Cid (Information Security Group, Royal Holloway, University of London, carlos.cid@rhul.ac.uk) and Joshua Wright (SANS Institute, jwright@sans.org), "An Assessment of the Oracle Password Hashing Algorithm", 18 Oct. 2005.

Wednesday, September 12, 2007

HowTo Reset SYSMAN's password

Resetting SYSMAN's password Oracle 10gR2

1. Set environment variables (assuming a Unix OS)

export ORACLE_HOME=yourOracleHome
export ORACLE_SID=yourSID
export PATH=$ORACLE_HOME/bin:$PATH

2. Shut down EM and ensure the console is completely shut down.
emctl stop dbconsole
emctl status dbconsole

3. From a SQL*Plus prompt, modify SYSMAN's password:
SQL> alter user SYSMAN identified by yourNewPassword;

4. Verify that you can open a SQL*Plus session as the SYSMAN user with the reset password.
sqlplus sysman/yourNewPassword
SQL>

5. Reconfigure the password
a. Change directory to $ORACLE_HOME/hostname_sid/sysman/config
b. Back up the file emoms.properties
c. Edit the file emoms.properties
d. Look for the line beginning with:
oracle.sysman.eml.mntr.emdRepPwd=
and replace the encrypted value with the new password value
e. Look for the line:
oracle.sysman.eml.mntr.emdRepPwdEncrypted=TRUE
and replace TRUE with FALSE

6. Start the EM service
emctl start dbconsole

7. Verify that the password written above has been replaced by an encrypted version in the emoms.properties file.

8. Your EM DB Control should be up and running by now.
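Step 5 is the one that is easy to get wrong by hand (editing the wrong key, or forgetting the FALSE flag so DB Control tries to decrypt the cleartext). The script below is an added example for this post, not an Oracle utility: it performs steps 5b-5e on emoms.properties and provides the step 7 check. The sample file contents are constructed and hold only the keys the procedure touches; the hex value on the emdRepPwd line is a made-up placeholder, not a real encrypted password.

```python
import shutil
from pathlib import Path

# Constructed sample of the relevant lines of emoms.properties (not a real file's contents).
SAMPLE_PROPERTIES = """\
oracle.sysman.eml.mntr.emdRepUser=SYSMAN
oracle.sysman.eml.mntr.emdRepPwd=f3a9c2d1e8b7a6c5
oracle.sysman.eml.mntr.emdRepPwdEncrypted=TRUE
oracle.sysman.eml.mntr.emdRepConnectDescriptor=(DESCRIPTION=...)
"""

PWD_KEY = "oracle.sysman.eml.mntr.emdRepPwd"            # step 5d
FLAG_KEY = "oracle.sysman.eml.mntr.emdRepPwdEncrypted"  # step 5e


def rewrite_properties(text, new_password):
    """Return the edited file contents: the cleartext password on the emdRepPwd line
    and the Encrypted flag set to FALSE. Raises if either key is missing, so a
    half-edited file is never written back."""
    seen = {PWD_KEY: False, FLAG_KEY: False}
    out = []
    for line in text.splitlines(keepends=True):
        key, sep, _ = line.partition("=")      # split on the first '=' only
        key = key.strip()
        if sep and key == PWD_KEY:
            out.append(f"{PWD_KEY}={new_password}\n")
            seen[PWD_KEY] = True
        elif sep and key == FLAG_KEY:
            out.append(f"{FLAG_KEY}=FALSE\n")
            seen[FLAG_KEY] = True
        else:
            out.append(line)
    missing = [k for k, ok in seen.items() if not ok]
    if missing:
        raise ValueError(f"keys not found in emoms.properties: {missing}")
    return "".join(out)


def password_is_reencrypted(text, cleartext):
    """Step 7 check: after `emctl start dbconsole`, DB Control should have replaced the
    cleartext with an encrypted value and flipped the flag back to TRUE."""
    values = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    return (values.get(FLAG_KEY, "").strip().upper() == "TRUE"
            and values.get(PWD_KEY, "").strip() != cleartext)


def reset_sysman_password_file(path, new_password):
    """Steps 5b-5e against a real file: back it up next to itself, then rewrite in place."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(rewrite_properties(path.read_text(), new_password))


if __name__ == "__main__":
    edited = rewrite_properties(SAMPLE_PROPERTIES, "NewPwd123")
    print(edited)
    print("re-encrypted:", password_is_reencrypted(edited, "NewPwd123"))
```

Between step 5 and step 7 the file holds the SYSMAN password in cleartext, so keep its permissions restricted to the Oracle software owner and confirm with password_is_reencrypted that DB Control has re-encrypted it before leaving the host.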

Wednesday, September 05, 2007

Oracle Enterprise Linux vs. Red Hat Enterprise Linux

Market Share War
After Oracle's announcement that it would release OEL, Red Hat suffered a 700 million dollar loss as its shares fell 24%, which can be interpreted in several ways, as market analysts have stated.

Oracle may be looking to buy it and is expecting to lower the share price, so the strategy could be to strangle Red Hat until it has no more oxygen to breathe. Since the announcement the share has fallen, with an investor stampede in October 2006 when more than 113 million shares changed hands, compared to the daily average of 6 million. The share reached its bottom price of $15.71 USD. Today it closed at $19.81 USD per share [Ref. 1], but this cannot be compared with the $24.71 USD it reached in the past.


The Strategy
With the announcement, Oracle gets to steal the leading product directly from the leading Linux vendor and package it as part of the application stack it sells. And yes, many sites want a single support point for the whole thing.

Edward Screven, Oracle's CTO, said: "We think it's important not to fragment the market. We will maintain compatibility with Red Hat Linux. Every time Red Hat distributes a new version we will resynchronize with their code. All we add are bug fixes, which are immediately available to Red Hat and the rest of the community. We have years of Linux engineering experience. Several Oracle employees are Linux mainline maintainers." [Ref. 2]

Why isn't Oracle the clone of another distro, or, even more, why didn't Oracle create its own distro from scratch when it has the money and the people?

This carries another message between the lines. Oracle will be a high-fidelity Red Hat clone because Oracle is hunting Red Hat: it is easier to eat it if it already fits inside.


Why it is better
In the OpenWorld announcement, Larry Ellison cited a range of problems with current Linux support:
- True Enterprise Support Unavailable from Linux Vendors
- Support from Leading Linux Vendors is Expensive
- No intellectual Property Indemnification from Linux Vendors

Oracle thinks it can do better on service levels:
- Dedicated linux development, test, and delivery teams
- Backed by world's largest software support organization
- Ready 24x7
- 145 countries and 27 languages [Ref. 3]

So, where does this leave us? It will be interesting to see how Red Hat responds. Red Hat is still the premium provider of Linux; that is true, so this complicates things, but doesn't significantly change them.


Conclusion
I don't think the day when Oracle announces the end of support for RHEL will ever come; I think Oracle will do another blockbuster buy with Red Hat, wipe off the Red Hat name and replace it with Oracle Enterprise Linux, alias the Unbreakable Linux.


Monday, July 09, 2007

infrom.exe on my USB



I have found infrom.exe on my USB stick. This virus has spread through my USB memory sticks and my digital camera.

This virus can easily be deleted with updated virus scanners, and it is sometimes reported as adware or as a virus.

Troj/ShipUp-A is a Trojan for the Windows platform. When first run Troj/ShipUp-A copies itself to \ccPrxy.exe.

The following registry entry is created to run ccPrxy.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccPrxy.exe - ccPrxy.exe

The following registry entry is set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = 9f

Registry entries are created under:
HKLM\SOFTWARE\Microsoft\ShipUp\


The infection shows up on the drive as a list of hidden files:

09/04/2004 05:58 AM 21,504 infrom.exe
07/08/2007 10:33 PM 96 AUTORUN.INF
07/08/2007 10:33 PM ms.config
07/08/2007 10:33 PM rm


H:\>dir /s/a ms.config
Directorio de H:\ms.config
07/08/2007 10:33 PM 23,552 ldup.exe
1 archivos 23,552 bytes

H:\>dir /s/a rm
Directorio de H:\rm
07/08/2007 10:33 PM 25,088 sy.exe
1 archivos 25,088 bytes



C:\WINDOWS\ldjs.txt is a log file that records all the infections carried out so far.

Sample of its contents:
2007-05-27 07:43:26
H:\ Space:256M,FreeSpace:9M
Copy File ldup.exe OK!
Copy File sy.exe OK!

File C:\Windows\ldlist.txt (hidden):
ms.config\ldup.exe
rm\sy.exe


There the file names and the infection timestamp can be seen.

The contents of the AUTORUN.INF file are:
[AutoRun]
open=infrom.exe
shellexecute=infrom.exe
shell\Auto\command=infrom.exe
shell=Auto
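Both autorun.inf files on this page (Zayle's signature in the November post and the infrom.exe one just above) work the same way: open=, shellexecute= and shell\<verb>\command= name a program on the medium, and shell=<verb> makes that verb the double-click action. The triage script below is an added example, not part of either post; it parses the two files as printed here (the heart and rose text images that follow Zayle's entries contain no '=' and are skipped), plus a constructed benign autorun.inf for contrast, and reports what each one would launch.

```python
# The two autorun.inf bodies shown on this page, embedded as test input (backslashes doubled
# for Python), plus a constructed benign file that only sets an icon and a label.
ZAYLE_AUTORUN = """\
[autorun]
open=crsvc.exe
shell\\1=ZAYLE
shell\\1\\Command=crsvc.exe
shellexecute=crsvc.exe
"""
INFROM_AUTORUN = """\
[AutoRun]
open=infrom.exe
shellexecute=infrom.exe
shell\\Auto\\command=infrom.exe
shell=Auto
"""
BENIGN_AUTORUN = """\
[autorun]
icon=drive.ico
label=Backup Disk
"""

EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Parse the [autorun] section into {key_lower: value}; keys keep their backslashes.
    Lines without '=' (blank lines, comments, trailing ASCII art) are ignored."""
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun":
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(text):
    """(key, program) pairs for every directive that runs something from the medium:
    open=, shellexecute= and shell\\<verb>\\command=."""
    targets = []
    for key, value in parse_autorun(text).items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            program = value.split()[0].strip('"') if value else ""
            targets.append((key, program))
    return targets


def default_verb(text):
    """The verb that shell=<verb> promotes to the double-click action, if it has a command."""
    entries = parse_autorun(text)
    verb = entries.get("shell")
    if verb and f"shell\\{verb.lower()}\\command" in entries:
        return verb
    return None


def triage(text):
    """'clean' (nothing launched), 'review' (launches a non-executable target),
    or 'suspicious: launches ...' when an executable on the medium would be started."""
    targets = launch_targets(text)
    if not targets:
        return "clean"
    execs = sorted({p for _, p in targets if p.lower().endswith(EXEC_EXT)})
    return f"suspicious: launches {', '.join(execs)}" if execs else "review"


if __name__ == "__main__":
    for name, body in (("zayle", ZAYLE_AUTORUN), ("infrom", INFROM_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, triage(body), launch_targets(body), default_verb(body))
```

Running this over a removable drive's autorun.inf before opening the drive answers the same question the removal steps rely on: which file must not be double-clicked and which file to delete along with the registry Run entry.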



Clean Up

In order to get rid of it, first those files have to be deleted from the media, just to stop it from spreading further. Next, the root of the infection:
  1. Delete the entry from HKLM\software\windows\system32\ccprx.exe. This name could change, as in other blogs I have seen it registered with different names.
  2. Delete c:\windows\infrom.dat, c:\windows\ldjs.txt, c:\windows\ldlist.txt, c:\windows\ldup.exe and c:\windows\sy.exe, all of them hidden files.
  3. From the Windows Task Manager, locate ccprxy.exe and kill it.
    Remove the HKLM\Software\Microsoft\Windows\Run\ccprxy.exe entry
    attrib -h -s C:\Windows\System32\ccprxy.exe
    Remove the C:\Windows\System32\ccprxy.exe file
    Reboot the computer.

    I:\>rd /s/q ms.config
    I:\>rd /s/q rm
    I:\>attrib -h -s infrom.exe
    I:\>attrib -h -s AUTORUN.INF
    I:\>del infrom.exe